I wouldn't bet on that, I've seen a lot of security geeks being SEd and I am sure that anyone can be manipulated more or less, given some time, effort and resources.

If you can't touch your mark, or he/she doesn't respond to your actions, then consider moving on to their closest friends and see what you can do from there. Oh, and even the most paranoid security geeks out there tend to lower their guard in front of a nice looking girl.

Social Engineering is focusing on the weakest chain of the IT security. Humans and their psychology. A way of exploiting all weaknesses of a person’s character, based upon simple lies to applying psychological, brutal violence upon the “subject”.

This new IT branch has a history of thousands of years, and can be located in our history under the terms “diplomacy” or “warfare”. Both terms indicate situations and circumstances where “cunning minds” were capable of turning around historical events to their benefit. Evaluating situations and opponents is crucial in those two cases, as it is in Social Engineering.

I will now proceed to more details regarding Social Engineering, starting with the “specifications of a Social Engineer”, as they are rarely stated compared to other details of this area.

A Social Engineer is not a simple fraud-man. He should be more than that. Patience and Intelligence are among his most important tools, which need to be developed constantly as they are associated, in a way, with a “live” branch of technology, which is computers. In order to “trick” someone and gain his trust, he really needs to be updated, so as to ask the right questions and not fall into the “trap” of giving himself up. For example, if this “Engineer” tries to find a password and then asks where the “login field” is, then he is “out of the game”. Intelligence is developed through experience and of course education, made out of any kind of scripts or books he can find regarding psychology and human behavior. “Stepping” on an opponent’s weaknesses or mistaken reactions is the key to accomplishing his goal. Patience, however, needs to be gained in a much harder way, as he needs to enforce his will over himself. Something that very few are able to do.

Using that “equipment” now can give him the first step, in order to begin his quest on exploring human behaviors and reactions. No matter if the other person is a simple user or a master technician, only one thing can make the difference. It is the “know-how” of the right timing for applying questions and psychological techniques. The ability to know when and how to put down his “pressure points” to gain the right reaction from the “talking opponent” at the other side of the phone or from the man right in front of him.

How can I do that, someone might say? It needs a plan, is the answer, as all things in real life. An engineer needs to evaluate first the targeted person and explore his weak and strong points. Make his "victim" feel secure, in order to bring down his defenses, so as to manage the “entry point” to his behavior and psychological personality. Most people are quite easy to handle if you are able to access their “ego” through vanity. For example, a question like “I never had any problems with your account, since it seems you are a good user and all, so I really need you to …blah…blah” is pointing to his “ego” and making him feel “superior”. Easier for him to make mistakes like this, as his vanity takes over and “clouds” his reason. It is the same way as most of us guys try to compliment women, in order to bring down their defenses, in order to approach them more.

So “ego” is the magical word for a social engineer. Manipulating that area of the mind is able to give him the right reaction and trigger a sequence of questions and actions, to his benefit. Applying now psychological force is the opposite of boosting the target’s ego. Setting a question of such a nature could “put in the corner” your targeted person, with a fake threat of a “management report” to possible “letting you go, for this mistake or unauthorized access”. Putting the “subject” in that hard position is, most of the time, providing results, although it could backfire, especially if the engineer is talking to a “bad-tempered” person. Leading things into a fight is never good for the guy who wants to manipulate situations. “Anger is the worst mind general” is stated in the “Art of War” by Sun Tzu and that is more than true. Reason and arguments with "deep meanings" are always useless in tough situations, so fights or quarrels always lead to the failure of an engineer’s effort to gain data.

How now can I understand if my actions with the person I am talking to can lead to a successful attempt and avoid a possible exposure of my intentions, someone might say? Experience and Intelligence is the answer. People are always different and it is very rare to run into a type of personality that you have “tricked” before with the same method. I do not have to mention here that repeating methods is always a dangerous thing, as you never know who the other person is, or if he is a friend of a previous target.

Over the phone, it is true that it is hard to understand who the other person really is on the other end of the line, and how he will react to your questions or psychological tricks. There are though some tricks that could guide you, if you really know how to use your voice’s volume and tone. For example, if you are sure that you are talking to a lower level employee, a tone with authority would provide you with an advantage over the other person, and give you the ability to “demand” more straight and direct answers. (Tip: do not apply that on Managers’ secretaries, as they are trained to avoid “not-wanted” people.)

Impersonating an IT asst. admin (the description of the imaginary title also plays a role here, as the more complicated it sounds the more influence it has on their minds) and demanding in a strict voice his assistance in solving a problem could give you unexpected gains.

If now you are talking to a manager (not IT manager) then you should really try to exploit their wish for showing themselves as “grant employees” to their bosses, by implying that their help to solve that problem will be mentioned or that you will provide some “benefits” to him/her, after their provided assistance.

Depending on their reaction, you can now proceed to a more sophisticated way of removing data from them, in a way that will leave them satisfied for doing their part of the job.

Speaking now of the technical area of social engineering, you have to think of the greater picture. Social Engineering is only a branch that is associated with the so-called Security Area in IT fields. Footprinting and Forensics are just a few of the other security techniques that can provide you with proper data, in order to arrange your plan. All of them should be run or executed simultaneously in order to provide the wished results for the engineer.

Movies show Social engineers trying to steal data by trash-diving, speaking over the phone, sending phony messages or even stealing paper bills from the victim’s mailbox at home. But what happens when personal confrontation is in order? Is there any method to extract data as “painlessly” and as fast as possible? The answer is negative here, but there are ways to “smooth” this job a bit. Those ways are reflected and based mostly upon how the human body moves and reacts to external stimulations, caused by words or just by another person’s appearance. We all tend to react in some sort of way when we do not want to participate in something that repulses us, whether that is a conversation or just a glance at someone’s face. This is the weak spot which an experienced social engineer should take advantage of.

Every person is totally different when it comes to speaking of his own personality. In fact, no one is similar to the person next to him, but we all tend to react by using some actions (defined and classified by our society's behavior), which could be described in some stereotypes.

For instance, a person who is “closed” to others tends to stand or sit with his hands placed near his body or even crossed in front of his chest, something that shows defenses are up towards anyone who will try to get close or even tries to talk to him. His chin is usually close to his chest, and pointing to the ground. Similar to the way a fighter is protecting it during a boxing round. He, then, really needs to feel that the other person is somehow “harmless” to him. This could be achieved with a joke or even a fake impersonation of being sympathetic to a problem of his. His sense for security lack then will be reduced and it is up to the engineer to handle further discussion. Defensive persons are always easy to break down, especially if the “cracker” is equipped with social skills, like nice smiles and of course the ability to “break the ice” in a company full of strangers.

Quite the opposite is happening when the opposing person is an “aggressive” type. They are easy to spot, as they tend to brag and have neurotic and sudden, sharp moves of their bodies. Hands and legs are noticed to always be occupied with something or just moving in a rhythmical movement (like knees going up and down while sitting on a chair). This is usually a sign of stress or anxiety about something, which most of the time has nothing to do with the engineer. They like to hear themselves talking all the time and really try to be the centre of the world’s attention. Maybe not in such obvious ways as described here, but they really feel this need, and if they feel somehow satisfied by the presence of the other person, it is quite easy to gain data from them.

Aggressive types do have, though, a small “handicap” when trying to break their defense. They could be unpredictable if they are handled the wrong way and feel “threatened”, and I really suggest that possible failure should trigger the immediate stop of any activity towards a “social engineering” attack. Unless, of course, the “cracker” is very sure of himself.

The most dangerous type, I think, is the one that seems to sit in the other chair, doing absolutely nothing and having limited expressions while listening to the “cracker”. It shows that this person is either equipped with a lot of experience in this kind of talk, or he is just not interested in listening. In both cases, any attempt to proceed with that attack will lead to certain failure and of course to the exposure of the attacker.

The above-mentioned types are nothing more than a simple explanation of a person’s visual appearance and certainly not a step-by-step guide to follow. In real life, Social engineering attacks usually end up in failures, as there are no real experts in human psychology running around in the IT area, trying to hack-crack-search sites or data storages. Professional pen-testers or IT marketing consultants who are trained to evaluate and apply psychology techniques are paid great amounts of money to provide services. They certainly would not do it for a laugh or out of fun. Keep in mind though that even they could be driven to mistakes.

Talking about mistakes and learning from them, I think that the best school about social engineering exists only in very few places, called… Parliaments. The “houses” of diplomacy, where the “science” of speech and arguments is exercised in full. Watching some of their sessions could give magnificent examples of how to drive a person to the expected result, by manipulating senses, words and phrases and by using his weaknesses as your own weapons. The “art” of locating the right word or essence, in order to confront his words and use your own intelligence so as to gain. A really “hard-ball” game, where losses are a great defeat and not just a failed attempt. So, it is definitely a great school for those who want to use their speech as the ultimate weapon in gaining data and control over others.

Fortunately or unfortunately, the “art” of speech is something that would not be gained over a month or a year. It takes a lot of practice along with studying every kind of script or document regarding politics, diplomacy, psychology, and in general what relates to sophisticated expressions of the human mind. So I suggest that all ambitious future social engineers take under serious consideration how to talk and how to use the “art of speech”.

In conclusion, Social Engineering is something more than a simple fraud or other scam technique in order to deceive someone. It is a mix of intelligence and the ways of using logical arguments, so as to gain the wished result or the advantage to get one step closer to your target. Based upon the most ancient science, or better described as skill, of the human nature. The “Art of speech”.

This is from a Survey done in 2003 by/at InfoSecurity Europe - there was a similar survey done earlier this (or late last) year which el reg reported on, which actually targeted Information Security professionals - a group of unidentified survey-takers approached InfoSec professionals at an event and asked them for a variety of pieces of information purporting to be doing a survey, telling people that by participating they could win a prize; the information collected included information about maiden names, pets, and family, which no legitimate survey would have any use for - and shockingly, the vast majority of the target audience gave enough information away to enable identity fraud. One participant even commented on this, saying that she worked at a bank, and that the information they were asking her for would let them open a bank account in her name. She gave them the information.

Thank you for your post, Gandalf... you've made many extremely interesting points! One which I don't quite agree with you on (or which if we do agree, deserves clarification), however, is the following:

Quote:

Social Engineering is focusing on the weakest chain of the IT security. Humans and their psychology. A way of exploiting all weaknesses of a person’s character, based upon simple lies to applying psychological, brutal violence upon the “subject”.

This is true - Social Engineering generally is the weakest portion of an organisation's security; however, I would argue that the job of IT Security professionals is to reduce the risk of this 'weakest chain' - biometric authentication and minimum privilege are two examples of this - although you can never prevent an attacker from gaining information through a staff member or user which that staff member or user has access to, by enforcing secure authentication and giving staff/users access strictly to the data they need, you can create a system which makes Social Engineering difficult and restricts the results solely to information that the employee themself has access to, hopefully making it more likely that a would-be intruder will have to resort to SE'ing more employees, or breaking in in other ways, in order to fully break into a company's systems, increasing the risk of detection.

Unfortunately, most organisations don't even get steps such as these right, and few back it up with the training required to provide extra protection against this form of intrusion.

Actually, biometrics and limited privileges are increasing the level of security, but they also increase the level of "user unfriendly" procedures for an employee of yours, who will need to go through certain "channels" and time to do his/her job.
An IT pro will find enough company managers who disagree with that, as this will cost companies more time and of course more money. It will be easier to educate them how to confront any Social Engineering attempts with certain sentences, like "Please wait a minute to confirm this with my supervisor" or "I will get back to you, leave me your phone number". They are quite effective in a typical "speech social attack". Of course this is only a sample of what you could achieve with such an education. There are many more things to learn, like how to erase and protect sensitive data (shredding, password wallets and so on). Education-training is the ultimate weapon against this kind of attack, which also provides security to those people in their everyday life. We all hear of people who are giving away their PINs in a simple mail request, used in phishing techniques...

Today, an announcement was made in the EU, stating that biometric passports are going to be published on 1/1/2006 for all E.U. members. This chip is going to contain all personal data and it would be scanned from a 10cm distance, if I remember right.
The question is the following...
How many people are familiar with that passport and the data that it will contain? There will be some serious attempts to steal or misuse it by malicious persons with several social engineering techniques. Like impersonating an airport employee and scanning it with a mobile reader.

Training is of A-Z importance, as our technology is improving. If we won't follow this advancement, then we will find ourselves in a whole lot of problems. And that includes companies.

It will be easier to educate them how to confront any Social Engineering attempts with certain sentences, like "Please wait a minute to confirm this with my supervisor" or "I will get back to you, leave me your phone number". They are quite effective in a typical "speech social attack".

Some good phrases to introduce would be "give me your name and phone number and I'll get back to you".
This is a good one as you can confirm that someone is from the organisation they claim to be.
Also, things such as password resets should only be carried out if it can be confirmed by speaking to the person's manager to confirm they are who they say they are and you phone them back.
Password resets are a big risk and need to be controlled.

"according to a new survey. Two out of three people (180 of 272)
approached in a downtown San Francisco street by researchers were happy
to provide their password in exchange for a coffee gift card. Of those
respondents that declined offering their actual password, 51 provided a
clue about their password in exchange for a $3 Starbucks gift voucher."

"In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. A social engineer runs what used to be called a "con game". For example, a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get them to reveal information that compromises the network's security. They might call the authorized employee with some kind of urgent problem; social engineers often rely on the natural helpfulness of people as well as on their weaknesses. Appeal to vanity, appeal to authority, and old-fashioned eavesdropping are typical social engineering techniques.

Another aspect of social engineering relies on people's inability to keep up with a culture that relies heavily on information technology. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. Frequently, social engineers will search dumpsters for valuable information, memorize access codes by looking over someone's shoulder (shoulder surfing), or take advantage of people's natural inclination to choose passwords that are meaningful to them but can be easily guessed. Security experts propose that as our culture becomes more dependent on information, social engineering will remain the greatest threat to any security system. Prevention includes educating people about the value of information, training them to protect it, and increasing people's awareness"

Social engineering is a form of security attack in which the attacker tries to acquire information about the computer systems, network, passwords etc. by talking to the employees of an organization. Thus, a social engineering attack may occur over the phone, via chat rooms, message boards, talking etc. The main purpose is to get access-related information which can later be used to gain access to confidential and critical organizational information systems.

To me using Social Engineering to gather sensitive information from a business or even a home user is nothing more than a "con artist" at work hurting businesses or home users. I don't understand why when you discuss Social Engineering why you don't call it a con artist at work to do harm?

Simplifying Social Engineering as just "con artist" is an oversimplification of a very deep area of professional studies. It uses any and all tools discovered in psychology, sociology, technology and is ever evolving in each area of study which all lead to tools and techniques.

I disagree completely.

The root of Con Artist, is Confidence Artist. It is the art of getting someone to display confidence in you, to believe you, and to do what you say to do.

Social Engineering is pretty much an updated phrase to represent Con Artist. The problem is, most people think of Confidence Men as petty crooks, or guys who swindle old Floridians out of retirement funds.

Confidence Men were often well educated, or if not, learned how people reacted to a great degree, and learned quickly. They also thought quickly on their feet. And a Con Man today is likely to know as much or more about computers as the next guy.

I would tend to agree with liquidz. As security gets better only the best of hackers will be able to get into systems the old fashioned way. However, there will always be people willing to give information away if they feel it is needed for an important purpose. No matter how many times you tell people never to give out personal information over the phone, if you can convince them you need the information for a legitimate purpose they won't be the wiser, until they get burned. It takes at least some in depth knowledge to hack into a system, just about anyone can use social engineering to get into a system.

You will also understand the terms "egomaniac" and "self-aggrandisement" as well.
Some good bits of information in the book but it is a little bit too "look at me, I'm really clever, and I'm going to explain this very slowly and carefully for you because I know you are a bit dumber than me". Sorry, but the style of the book just grates on me.